CVE-2026-34364 Overview
A broken access control vulnerability exists in WWBN AVideo, an open source video platform. In versions up to and including 26.0, the categories.json.php endpoint fails to enforce user group-based access controls on categories. This authorization bypass allows unauthenticated attackers to access restricted category information that should only be visible to specific user groups.
The vulnerability manifests in two exploitation paths: in the default request path (without the ?user= parameter), user group filtering is entirely skipped, exposing all non-private categories including those restricted to specific user groups. When the ?user= parameter is supplied, a type confusion bug causes the filter to incorrectly use the admin user's (user_id=1) group memberships instead of the current user's memberships, rendering the access control filter completely ineffective.
Critical Impact
Unauthorized disclosure of restricted video categories and content metadata to unauthenticated users, bypassing intended access control restrictions.
Affected Products
- WWBN AVideo versions up to and including 26.0
Discovery Timeline
- 2026-03-27 - CVE-2026-34364 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-34364
Vulnerability Analysis
This vulnerability represents a classic authorization bypass (CWE-863) combined with a type confusion bug affecting the category listing API. The root cause lies in the categories.json.php endpoint which serves category data without properly validating user permissions against user group restrictions.
The vulnerable code path has two distinct failure modes. First, when no ?user= parameter is provided in the request, the $sameUserGroupAsMe variable is set to false, which causes the Category::getAllCategories() function to skip user group filtering entirely. This exposes all non-private categories regardless of their access restrictions.
Second, when the ?user= parameter is supplied, the code sets $sameUserGroupAsMe to true (a boolean). The downstream filtering logic treats that argument as a user ID, and PHP's loose typing coerces boolean true to integer 1, so the group lookup is resolved against user_id 1 (the admin user) rather than the requesting user. The requester's own memberships never enter the check, and the value given in ?user= is irrelevant: only its presence matters, since the endpoint tests !empty($_GET['user']) and never reads the value.
Root Cause
The vulnerability stems from improper implementation of user group-based access controls in the category API endpoint. The $sameUserGroupAsMe variable was incorrectly handled as a boolean flag rather than a user identifier, and the code path that should have applied user group filtering was bypassed in the default case.
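The two failure modes above, modelled in Python as an added illustration for this page (this is not AVideo's own code, and the names CATEGORIES, USER_GROUPS, get_all_categories and categories_json are assumptions). Python shares the relevant quirk with PHP: True == 1, so a dictionary keyed by user id returns the admin's entry when a boolean flag is handed in where a user id belongs. The hardened variant mirrors the patch: the logged-in user's integer id is always used, with -1 as the guest sentinel.

```python
"""Model of the categories.json.php filtering bug and its fix.

Added example for this page, not code from the AVideo project.
Sample data below is constructed.
"""

# Constructed categories: id -> (name, private, required user group or None)
CATEGORIES = {
    10: ("Public talks", False, None),
    11: ("Staff only", False, "staff"),   # restricted to the 'staff' group
    12: ("Board", False, "board"),        # restricted to the 'board' group
    13: ("Hidden draft", True, None),     # private: never listed
}

# Constructed memberships: user id -> groups. user 1 is the admin; user 7 is a
# regular member; guests are looked up as -1 and match nothing.
USER_GROUPS = {
    1: {"staff", "board"},
    7: {"staff"},
}


def get_user_groups(user_id):
    """Stands in for getUserGroups(): unknown ids (including -1) yield no groups."""
    return USER_GROUPS.get(user_id, set())


def get_all_categories(same_user_group_as_me):
    """Vulnerable filter: the argument is used both as a flag and as a user id.

    False -> group filtering skipped entirely (failure mode 1)
    True  -> looked up as user id 1 because True == 1 (failure mode 2)
    """
    visible = []
    for cid, (_name, private, group) in CATEGORIES.items():
        if private:
            continue
        if same_user_group_as_me is False:
            visible.append(cid)          # no ?user= : every non-private category
            continue
        # dict lookup with True hits key 1: the same coercion PHP applies when a
        # boolean reaches `$arr[true]` or a `users_id = ?` query parameter
        groups = get_user_groups(same_user_group_as_me)
        if group is None or group in groups:
            visible.append(cid)
    return visible


def get_all_categories_fixed(filter_user_id):
    """Hardened filter: always an int user id; -1 (guest) sees only unrestricted categories."""
    groups = get_user_groups(int(filter_user_id))
    return [
        cid for cid, (_name, private, group) in CATEGORIES.items()
        if not private and (group is None or group in groups)
    ]


def categories_json(user_param, current_user_id):
    """Endpoint glue before the patch: the flag is driven by the request, not the session."""
    same_user_group_as_me = False
    if user_param:                       # value unused, only presence matters
        same_user_group_as_me = True
    return get_all_categories(same_user_group_as_me)


def categories_json_fixed(user_param, current_user_id):
    """Endpoint glue after the patch: the session's real user id drives the filter."""
    filter_user_id = int(current_user_id) if current_user_id else -1
    return get_all_categories_fixed(filter_user_id)


if __name__ == "__main__":
    print("guest, no ?user=  (vulnerable):", categories_json("", None))
    print("guest, ?user=x    (vulnerable):", categories_json("x", None))
    print("guest             (fixed):     ", categories_json_fixed("", None))
    print("user 7            (fixed):     ", categories_json_fixed("x", 7))
```

Run stand-alone, the vulnerable endpoint returns all three non-private categories to a guest on both paths, while the fixed endpoint returns only the unrestricted category to a guest and adds the staff category only for user 7.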
Attack Vector
An attacker can exploit this vulnerability remotely over the network without authentication. By sending HTTP requests to the categories.json.php endpoint, attackers can enumerate and access restricted category information:
- Default path exploitation: Request /objects/categories.json.php with no parameters to receive every non-private category, including those restricted to specific user groups
- Parameter-based exploitation: Supply any non-empty ?user= value (the value itself is never read) to trigger the type confusion, so the filter is evaluated against the admin user's memberships instead of the requester's. Note that the same branch also sets $onlyWithVideos, so this path returns only restricted categories that contain at least one video
The security patch addresses this by properly retrieving and using the current logged-in user's ID for filtering:
$_REQUEST['current'] = getCurrentPage();
$onlyWithVideos = false;
-$sameUserGroupAsMe = false;
if(!empty($_GET['user'])){
$onlyWithVideos = true;
- $sameUserGroupAsMe = true;
}
+// Always apply user-group filtering using the logged-in user's real ID.
+// Guests get -1 so getUserGroups returns [], leaving only unrestricted categories visible.
+$currentUserId = User::getId();
+$sameUserGroupAsMe = !empty($currentUserId) ? intval($currentUserId) : -1;
$categories = Category::getAllCategories(true, $onlyWithVideos, false, $sameUserGroupAsMe);
-$total = Category::getTotalCategories(true, $onlyWithVideos);
+$total = Category::getTotalCategories(true, $onlyWithVideos, false, $sameUserGroupAsMe);
//$breaks = array('<br />', '<br>', '<br/>');
foreach ($categories as $key => $value) {
$categories[$key]['iconHtml'] = "<span class='$value[iconClass]'></span>";
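Review bot: the variable that now carries a real integer user id is still named $sameUserGroupAsMe, which reads as a boolean flag, the exact misreading that produced this bug; rename it (for example $filterUserId) and document on Category::getAllCategories() and Category::getTotalCategories() that the fourth parameter is a user id with -1 meaning "no groups". The hunk also adds a fourth argument to getTotalCategories() but shows no change to that method's signature, so confirm the callee in the same commit actually accepts and applies it, otherwise the total will keep counting categories the caller no longer returns.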
Source: GitHub Commit
Detection Methods for CVE-2026-34364
Indicators of Compromise
- Unusual access patterns to /objects/categories.json.php from unauthenticated users or unexpected IP addresses
- HTTP requests to the categories API endpoint with varying ?user= parameters, potentially indicating enumeration attempts
- Increased volume of API requests to category listing endpoints without corresponding authenticated sessions
Detection Strategies
- Monitor web server access logs for requests to categories.json.php from unauthenticated sessions
- Implement anomaly detection for category API access patterns that deviate from normal user behavior
- Deploy Web Application Firewall (WAF) rules to alert on suspicious parameter manipulation in category API requests
- Review application logs for category data access by users who should not have visibility to restricted categories
Monitoring Recommendations
- Enable detailed logging for the category API endpoint including request parameters and session context
- Set up alerts for high-frequency requests to categories.json.php from single IP addresses
- Audit category access logs periodically to identify any unauthorized data exposure
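A small detection pass over access logs that implements the strategies above, added for this page (it is not AVideo tooling). It assumes a custom nginx log_format that records the PHPSESSID cookie beside each request, because the standard combined format carries no session context; the format, the sample lines and the thresholds are all constructed for the example. It flags an IP for a burst of session-less requests to the endpoint and for cycling through distinct ?user= values.

```python
"""Access-log triage for the categories.json.php access pattern.

Added example for this page, not project code. Assumed nginx log format:
  log_format avideo '$remote_addr [$time_local] "$request" $status "$cookie_PHPSESSID"';
Sample lines and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/objects/categories.json.php"

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) "(?P<sess>[^"]*)"$'
)

# Constructed sample: one IP hammers the endpoint with no session and walks
# ?user= values; a second IP is a normal logged-in visitor.
SAMPLE_LOG = """\
203.0.113.5 [30/Mar/2026:10:00:01 +0000] "GET /objects/categories.json.php HTTP/1.1" 200 ""
203.0.113.5 [30/Mar/2026:10:00:02 +0000] "GET /objects/categories.json.php?user=1 HTTP/1.1" 200 ""
203.0.113.5 [30/Mar/2026:10:00:02 +0000] "GET /objects/categories.json.php?user=2 HTTP/1.1" 200 ""
203.0.113.5 [30/Mar/2026:10:00:03 +0000] "GET /objects/categories.json.php?user=3 HTTP/1.1" 200 ""
198.51.100.9 [30/Mar/2026:10:00:05 +0000] "GET /objects/categories.json.php HTTP/1.1" 200 "a1b2c3"
198.51.100.9 [30/Mar/2026:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 "a1b2c3"
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["user_param"] = parse_qs(parts.query).get("user", [None])[0]
    return rec


def analyse(log_text, window_seconds=60, unauth_threshold=3, distinct_user_threshold=3):
    """Return {ip: [reasons]} for IPs whose endpoint traffic matches the indicators."""
    per_ip = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["path"] == ENDPOINT:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["time"])
        reasons = set()

        # Indicator: burst of requests with no session cookie inside the window
        unauth = [r for r in recs if not r["sess"]]
        for i, start in enumerate(unauth):
            j = i
            while j < len(unauth) and (unauth[j]["time"] - start["time"]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= unauth_threshold:
                reasons.add("unauthenticated_burst")
                break

        # Indicator: many distinct ?user= values from one source (enumeration)
        user_values = {r["user_param"] for r in recs if r["user_param"] is not None}
        if len(user_values) >= distinct_user_threshold:
            reasons.add("user_param_enumeration")

        if reasons:
            findings[ip] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for ip, why in analyse(SAMPLE_LOG).items():
        print(ip, why)
```

The default exploitation path carries no parameter at all, so for it the only usable signals are the absence of a session and the request rate; the ?user= enumeration signal catches the second path. Tune the thresholds against a baseline of legitimate front-end traffic, since the site's own pages call this endpoint for every visitor.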
How to Mitigate CVE-2026-34364
Immediate Actions Required
- Update WWBN AVideo to a version containing commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9 or later
- Review category access logs to determine if the vulnerability may have been exploited
- Audit user group configurations and restricted category assignments for potential data exposure
- Consider temporarily restricting access to the categories.json.php endpoint until patching is complete
Patch Information
The vulnerability has been fixed in commit 6e8a673eed07be5628d0b60fbfabd171f3ce74c9. The fix modifies the categories.json.php file to always apply user group filtering using the authenticated user's actual ID. For guest users (unauthenticated), the user ID is set to -1, which causes getUserGroups() to return an empty array, ensuring only unrestricted categories are visible.
The getTotalCategories() function was also updated to accept and apply the same user group filtering parameter for consistency.
For additional details, refer to the GitHub Security Advisory GHSA-73gr-r64q-7jh4.
Workarounds
- Implement network-level access controls to restrict access to the category API endpoint from untrusted networks
- Configure a reverse proxy or WAF to reject requests to /objects/categories.json.php that carry no session cookie. Note that a proxy can only check for the cookie's presence, not its validity, unless it can consult the application's session store, so this raises the cost of unauthenticated enumeration but is not a substitute for the patch
- Temporarily disable the category listing API if not critical to operations until the patch can be applied
# Example: Block session-less access to the categories API via nginx
# Caveat: this only checks that a PHPSESSID cookie is present, not that it is valid;
# any client can send an arbitrary PHPSESSID, so treat this as a stopgap until patched.
# "location =" is an exact match, which takes precedence over a "~ \.php$" regex
# location that would otherwise capture this request first.
location = /objects/categories.json.php {
    # Require a session cookie or deny access
    if ($http_cookie !~* "PHPSESSID=") {
        return 403;
    }
    proxy_pass http://avideo_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

